How to Protect Your Data from Quantum Computers
The Quantum Threat Is Not Hypothetical
Quantum computers will break most of today's public-key encryption. This is not speculation or fear-mongering. It is a mathematical certainty based on Shor's algorithm, published in 1994 and verified by every cryptographer who has examined it since. The only question is when quantum hardware becomes powerful enough to run the algorithm at scale.
The timeline matters because of a strategy called "harvest now, decrypt later." Intelligence agencies and sophisticated attackers are already recording encrypted internet traffic and storing it in massive data centers. They cannot read it today. But when quantum computers mature, they will decrypt everything they have collected. Your medical records from 2024, your financial transactions, your private messages, and your legal documents could all become readable.
If your data needs to stay secret for more than 10 years, you should already be concerned. If it needs to stay secret for 20 years or more (medical records, legal documents, government secrets), the situation is urgent.
Time-Sensitive: Data you encrypt today with RSA-based tools can be stored by adversaries now and decrypted when quantum computers mature. The NSA's CNSA 2.0 guidance mandates that all National Security Systems transition to post-quantum cryptography by 2035, with software implementations starting immediately.
What Data Is Actually at Risk?
Not all encryption is equally vulnerable. Understanding what breaks and what survives helps you prioritize.
Vulnerable to Quantum Attack
Any system that uses public-key cryptography for key exchange is at risk. This includes:
- RSA (used in email encryption like PGP/GPG, many VPNs, older TLS connections): Shor's algorithm factors the large numbers RSA relies on. RSA-2048, which would take a classical computer 300 trillion years to break, could fall in hours on a sufficiently large quantum computer.
- ECDH/ECDSA (used in modern TLS, SSH, Signal, WhatsApp, cryptocurrency wallets): Shor's algorithm solves the elliptic curve discrete logarithm problem. All key sizes are vulnerable.
- Diffie-Hellman (used in some VPNs and older protocols): Broken by the same algorithm as RSA. Shor's algorithm solves the discrete logarithm problem efficiently on a quantum computer.
Safe from Quantum Attack
Symmetric encryption like AES is not broken by quantum computers. Grover's algorithm provides only a quadratic speedup, which effectively halves the key length. AES-256 drops to roughly 128-bit security, which is still considered secure. AES-128 drops to roughly 64-bit security, which would be too weak. The solution is simple: use AES-256, and you are fine.
The problem is that AES alone cannot protect data in transit. Two computers that have never communicated before need a way to establish a shared AES key. That key exchange step currently relies on RSA or ECDH, both of which are quantum-vulnerable. If an attacker records the key exchange, they can later use a quantum computer to extract the AES key from it, and then decrypt everything. The encryption itself is strong. The key agreement mechanism is the weak link.
Which Files Need Protection?
Not all data requires the same level of concern. Think about how long the data needs to remain confidential.
- Medical records: HIPAA requires protection for the patient's lifetime plus years after death. A 30-year-old's medical records from today need to remain confidential for 50+ years. They will absolutely still be sensitive when quantum computers arrive.
- Financial records: Tax returns, bank statements, investment records. Sensitivity varies but can extend 10-20 years for estate planning and legal compliance. Corporate financial data may be relevant for decades.
- Legal documents: Wills, trust documents, contracts, attorney-client communications. Many of these are sensitive indefinitely. A will encrypted today with RSA could be decrypted by an adversary in 15 years, potentially before the grantor has even passed away.
- Business intellectual property: Trade secrets, proprietary algorithms, product roadmaps, merger/acquisition documents. The competitive value of this data often lasts decades.
- Personal archives: Private photos, journals, messages. Would you want these publicly readable in 15 years? People's private correspondence has been used for blackmail, identity theft, and reputational damage.
- Cryptocurrency wallets and private keys: Bitcoin and Ethereum use ECDSA for transaction signing. A quantum computer that can solve the elliptic curve discrete logarithm problem could forge transactions and drain wallets. Unlike other data, cryptocurrency keys have direct monetary value.
- Government and military communications: Classified information can remain sensitive for 25-75 years depending on classification level. The NSA has already mandated the transition to post-quantum algorithms for all National Security Systems.
Why AES-256 Survives but RSA Does Not
This point deserves a clear explanation because it confuses many people.
RSA is based on the mathematical difficulty of factoring large numbers. A 2048-bit RSA key is the product of two roughly 300-digit prime numbers. Finding those primes from the product is extraordinarily hard for classical computers. Shor's algorithm, running on a quantum computer, can find those primes efficiently. It does not matter how large you make the RSA key. Shor's algorithm runs in polynomial time in the key length, so it always keeps up. Making the key bigger only slows the attack slightly.
AES-256 is a symmetric cipher. There is no mathematical structure for a quantum computer to exploit. The best quantum attack is Grover's algorithm, which is essentially a "smart search" that checks possible keys faster, but only by a square root factor. For AES-256, this means checking 2^128 possibilities instead of 2^256. That still requires an astronomical number of operations. 2^128 is roughly 340,000,000,000,000,000,000,000,000,000,000,000,000 operations. Even a quantum computer running for the lifetime of the universe could not complete this search.
This is why quantum-safe encryption combines post-quantum key agreement (ML-KEM, which replaces RSA/ECDH) with classical symmetric encryption (AES-256-GCM, which does not need replacing). The key agreement step is the part that needs to be quantum-resistant. The actual data encryption using AES-256 is already safe.
Practical Steps: What You Can Do Right Now
For Individuals
- Identify your most sensitive files. Medical records, financial documents, legal papers, cryptocurrency wallets, private archives. Make a list.
- Re-encrypt with quantum-safe tools. Files currently encrypted with GPG (which uses RSA or ECDH) or VeraCrypt (which uses RSA for key exchange) should be re-encrypted using post-quantum algorithms. QNSQY's free tier uses ML-KEM-512 + X25519 hybrid encryption, which protects against both classical and quantum attacks.
- Use strong passwords. Post-quantum encryption protects the key exchange, but your password is still the first line of defense. Use a passphrase of 4 or more random words, or 16+ characters of mixed types. QNSQY processes passwords through Argon2id, which requires 128 MB of memory per attempt, making brute-force attacks extremely expensive. But Argon2id cannot compensate for a password like "password123."
- Store encrypted backups in multiple locations. Files encrypted with quantum-safe algorithms are safe to store on cloud services (Google Drive, Dropbox, iCloud). Even if the cloud provider is compromised, the encryption protects the contents. Keep copies in at least two separate locations.
For Organizations
- Conduct a cryptographic inventory. Identify every system that uses RSA, ECDH, or other quantum-vulnerable algorithms. This includes TLS certificates, VPN configurations, database encryption, backup encryption, code signing, and email encryption.
- Prioritize by data sensitivity and lifetime. Data that must remain confidential for 10+ years should be migrated first. Patient records, financial data, trade secrets, and government-classified information are top priorities.
- Adopt hybrid cryptography. During the transition period, use hybrid systems that combine post-quantum and classical algorithms. This protects against quantum attacks while maintaining backward compatibility, and it also insures against unforeseen weaknesses in the new algorithms.
- Plan for algorithm agility. Build systems that can swap cryptographic algorithms without rewriting entire applications. NIST may update or replace algorithms as the field evolves. Hardcoding a single algorithm into your architecture creates long-term risk.
- Re-encrypt archived data. Old backups and archives encrypted with RSA or ECDH are a ticking time bomb. Schedule re-encryption using post-quantum algorithms.
Understanding the Protection Layers
When you encrypt a file with QNSQY, multiple independent algorithms protect your data at different layers:
| Layer | Algorithm | What It Does |
|---|---|---|
| Password Processing | Argon2id (128 MB memory, multiple iterations) | Turns your password into a cryptographic key. Memory-hard design makes GPU/ASIC brute-force attacks economically infeasible. |
| Key Agreement | ML-KEM-512 + X25519 (hybrid) | Two independent key encapsulation operations. ML-KEM resists quantum attacks. X25519 is proven against classical attacks. Both must be broken to compromise the key. |
| Data Encryption | AES-256-GCM | Encrypts the actual file contents. Authenticated encryption detects any tampering. AES-256 is quantum-safe (Grover's algorithm only reduces it to 128-bit equivalent security). |
| Integrity Verification | BLAKE3 | Cryptographic hash of the entire encrypted file. Detects any modification, corruption, or truncation. |
Each layer addresses a different threat. Argon2id handles password guessing. Hybrid ML-KEM + X25519 handles key compromise (both classical and quantum). AES-256-GCM handles data confidentiality and authentication. BLAKE3 handles file integrity. An attacker would need to defeat all four layers simultaneously to access your data.
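As an added example, not QNSQY's code or its file format, here are the sender and recipient sides of the key-agreement and data-encryption layers above in Go: hybrid ML-KEM + X25519 key encapsulation whose combined secret keys AES-256-GCM, with the whole header authenticated so any tampering is detected. It assumes Go 1.24 or later (the standard library's crypto/mlkem offers ML-KEM-768, not the free tier's ML-KEM-512), a simple SHA-256 secret combiner chosen for this example, and a constructed wire layout; the Argon2id and BLAKE3 layers are not shown.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"slices"
)

const ctLen, hdrLen = 1088, 1088 + 32 + 12 // ML-KEM-768 ciphertext (FIPS 203) || X25519 pub (32) || nonce (12) || GCM output
// hybridAEAD folds BOTH shared secrets into one AES-256-GCM key. Assumption: a plain domain-separated SHA-256
// combiner (X-Wing and TLS define their own). An attacker who breaks X25519 with Shor's algorithm still lacks
// ssKEM, and hashing in the ciphertext and ephemeral key binds the derived key to this exact exchange.
func hybridAEAD(ssKEM, ssDH, ctKEM, ephPub []byte) cipher.AEAD {
	key := sha256.Sum256(slices.Concat([]byte("hybrid-mlkem768-x25519-v1"), ssKEM, ssDH, ctKEM, ephPub))
	block, _ := aes.NewCipher(key[:]) // 32-byte digest => AES-256
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal (sender): encapsulate to the recipient's ML-KEM-768 key, run an ephemeral X25519 exchange
// with the recipient's X25519 key, then encrypt under the combined key with the header as AAD.
func Seal(kemPub *mlkem.EncapsulationKey768, dhPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	ssKEM, ctKEM := kemPub.Encapsulate()
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // crypto/rand cannot fail since Go 1.24
	ssDH, err := eph.ECDH(dhPub)                     // errors on low-order (all-zero) results
	if err != nil {
		return nil, err
	}
	hdr := slices.Concat(ctKEM, eph.PublicKey().Bytes(), make([]byte, 12))
	rand.Read(hdr[ctLen+32:]) // fresh 96-bit nonce
	gcm := hybridAEAD(ssKEM, ssDH, hdr[:ctLen], hdr[ctLen:ctLen+32])
	return append(hdr, gcm.Seal(nil, hdr[ctLen+32:], plaintext, hdr)...), nil
}

// Open (recipient): rebuild both secrets from the private keys and decrypt. Any modified byte in
// the header, ciphertext, or tag makes GCM fail authentication, so tampering is detected.
func Open(kemPriv *mlkem.DecapsulationKey768, dhPriv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < hdrLen {
		return nil, errors.New("message too short")
	}
	ssKEM, err := kemPriv.Decapsulate(msg[:ctLen])
	if err != nil {
		return nil, err
	}
	pub, _ := ecdh.X25519().NewPublicKey(msg[ctLen : ctLen+32]) // cannot fail: exactly 32 bytes
	ssDH, err := dhPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	gcm := hybridAEAD(ssKEM, ssDH, msg[:ctLen], msg[ctLen:ctLen+32])
	return gcm.Open(nil, msg[ctLen+32:hdrLen], msg[hdrLen:], msg[:hdrLen])
}
```

Opening the output with a different ML-KEM key, or after flipping any byte of it, returns an error rather than plaintext.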
The Harvest Now, Decrypt Later Problem
The most dangerous aspect of the quantum threat is that it operates retroactively. An attacker does not need a quantum computer today to threaten your data. They only need to record your encrypted data today and wait.
This strategy, called "harvest now, decrypt later" (HNDL), is well-documented and acknowledged by intelligence agencies on all sides. The NSA's CNSA 2.0 guidance implicitly acknowledges HNDL by mandating immediate action on post-quantum migration, years before quantum computers are expected to arrive. The reasoning is straightforward: if you wait until quantum computers exist to switch to quantum-safe encryption, all the data you transmitted before the switch can be retroactively decrypted.
Consider a concrete example. A hospital sends a patient's MRI results to a specialist via encrypted email using standard TLS with ECDH key exchange. An adversary with access to the network path (which could be an intelligence agency tapping an undersea cable, a compromised router at an ISP, or a state-sponsored attacker) records the encrypted session. Today, they cannot read it. In 15 years, they use a quantum computer to extract the ECDH session key and decrypt the email. The MRI results, along with the patient's name, diagnosis, and treatment plan, are now exposed.
The patient is still alive. The information is still sensitive. And there is nothing anyone can do to un-expose it.
This is why the time to switch to quantum-safe encryption is now, not when quantum computers arrive. Encryption protects data in the future, but the encrypted form of that data exists in the present. If the present-day encryption is quantum-vulnerable, the future protection is illusory.
The Real Quantum Threat Timeline
Understanding the timeline helps you calibrate urgency. Nobody knows exactly when quantum computers will be able to break current encryption, but several credible organizations have published estimates.
NIST began the post-quantum standardization process in 2016, stating that cryptographically relevant quantum computers were likely 15 to 20 years away. That puts the window at 2031 to 2036. The Global Risk Institute's 2023 survey of 37 quantum computing experts found a 50% probability of a cryptographically relevant quantum computer by 2033. The NSA's CNSA 2.0 guidance, published in 2022, mandates that all National Security Systems begin transitioning to post-quantum cryptography immediately, with full migration required by 2035.
Google's Quantum AI team achieved a significant milestone in 2024 with the Willow chip, demonstrating 105 qubits with error rates below the threshold needed for fault-tolerant computation. While still far from the millions of physical qubits needed to break RSA-2048, this demonstrates that quantum error correction, long considered the primary engineering bottleneck, is making real progress.
The honest assessment: cryptographically relevant quantum computers are probably 10 to 20 years away. But "probably" is not a guarantee. Breakthroughs in quantum error correction or novel qubit architectures could accelerate the timeline. And more importantly, the "harvest now, decrypt later" threat means that data encrypted today is already at risk if it needs to remain secret longer than the time until quantum computers arrive.
What the Transition Looks Like for Different Users
Individual Users
If you are an individual with sensitive files (medical records, financial documents, personal archives), the transition is straightforward. Install a quantum-safe encryption tool, re-encrypt your most sensitive files, and use quantum-safe encryption for all new sensitive data going forward. The entire process can be completed in an afternoon for personal use.
Small and Medium Businesses
For organizations, the transition involves more planning. Start by inventorying all systems that use encryption: VPN configurations, TLS certificates, database encryption, backup systems, email encryption. Prioritize systems that handle data with long sensitivity lifetimes (customer records, financial data, intellectual property). Adopt quantum-safe tools for data encryption first, as this is the easiest change. Then work with your IT team or managed service provider to plan the transition for network protocols.
Large Enterprises and Government
Large organizations typically need 3 to 7 years for a full cryptographic transition. This includes discovery (finding all cryptographic dependencies), testing (ensuring new algorithms work with existing systems), deployment (rolling out changes across the organization), and verification (confirming that all systems have been migrated). NIST recommends starting with "crypto-agile" architectures that can swap algorithms without rewriting applications, then migrating to post-quantum algorithms as part of normal upgrade cycles.
Common Questions
Is AES-256 enough on its own?
AES-256 is quantum-safe for encrypting data, but it cannot help two parties agree on a shared key over an insecure channel. You need a key agreement mechanism (like ML-KEM) to establish the AES key in the first place. If the key agreement is quantum-vulnerable (RSA or ECDH), the AES encryption provides no protection because the attacker can simply extract the key.
Is the free version of QNSQY actually secure?
Yes. The free version uses ML-KEM-512 + X25519 for key encapsulation and AES-256-GCM for data encryption. These are the same NIST-standardized algorithms used in paid tiers. The free tier has a 100 MB file size limit and uses the Level 1 security parameter (ML-KEM-512), which provides 128-bit post-quantum security. Paid tiers add access to higher security levels (ML-KEM-768 at Level 3, ML-KEM-1024 at Level 5) and features like batch encryption, vault storage, and threshold encryption.
Can I decrypt files on another computer?
Yes. The .qs file contains everything needed for decryption except your password. Install QNSQY on any supported platform (Windows, macOS, Linux), provide the same password, and the file decrypts. The file format is platform-independent.
What happens if I forget my password?
QNSQY has no backdoor, no recovery mechanism, and no master key. If you forget your password, your data is permanently unrecoverable. This is a deliberate security design: any recovery mechanism would be a potential attack vector. Use a password manager, or write down your passphrase and store it in a physically secure location (a safe, a safety deposit box).
Why Act Now Rather Than Later
Every month you delay is another month of data that could be harvested and stored by adversaries waiting for quantum computers. But the urgency goes beyond the harvest-now-decrypt-later threat.
Cryptographic transitions are historically slow. The migration from DES to AES took over a decade. Some systems were still using DES 15 years after AES was standardized. The migration from SHA-1 to SHA-2 took even longer, with major web browsers not dropping SHA-1 support until 2017, over six years after SHA-1 was officially deprecated.
Organizations with large deployed systems need years to plan, test, and roll out cryptographic changes. If the quantum computer timeline is 10 to 15 years, and the migration timeline is 3 to 7 years, the window for action is already closing. Starting now provides the time needed for a careful, thorough transition rather than a panicked, error-prone one.
For individuals, the situation is simpler but no less important. You can start protecting your files today with freely available quantum-safe encryption tools. There is no cost, no performance penalty, and no technical barrier. The only risk is in not acting.
Sources
- NIST IR 8105: Report on Post-Quantum Cryptography
- NSA CNSA 2.0: Commercial National Security Algorithm Suite 2.0
- NIST FIPS 203: ML-KEM Standard
- RFC 9106: Argon2 Memory-Hard Function for Password Hashing
Originally published at quantumsequrity.com.